Security analysis of communication system 
based on the synchronization of different 
order chaotic systems 



Gonzalo Alvarez a,*, Luis Hernandez a, Jaime Muñoz a,
Fausto Montoya a and Shujun Li b

a Instituto de Física Aplicada, Consejo Superior de Investigaciones Científicas,
Serrano 144, 28006-Madrid, Spain

b Department of Electronic and Information Engineering, Hong Kong Polytechnic
University, Hung Hom, Kowloon, Hong Kong SAR, China



Abstract 

This letter analyzes the security weakness of a recently proposed communication 
method based on chaotic modulation and masking using synchronization of two 
chaotic systems with different orders. It is shown that its application to secure 
communication is unsafe, because it can be broken in two different ways, by
high-pass filtering and by reduced order system synchronization, without knowing
either the system parameter values or the system key.

1 Introduction



In recent years, a considerable effort has been devoted to extending chaotic
communication applications to the field of secure communications. It has been
noticed that there exists an interesting relationship between chaos and
cryptography: many properties of chaotic systems have their corresponding
counterparts in traditional cryptosystems, such as:

• Ergodicity and Confusion: The output has the same distribution for any
input.

• Sensitivity to initial conditions/control parameter and Diffusion with a
small change in the plaintext/secret key: A small deviation in the input
can cause a large change at the output.

• Mixing property and Diffusion with a small change in one plain-block of 
the whole plaintext: A small deviation in the local area can cause a large 
change in the whole space. 

• Deterministic dynamics and Deterministic pseudo-randomness: A deterministic
process can cause a random-like (pseudo-random) behavior.

• Structure complexity and Algorithm (attack) complexity: A simple process 
has a very high complexity. 

As a result of investigating the above relationships, a rich variety of chaos- 
based cryptosystems for end-to-end communications have been proposed 
[1,2,3,4,5,6], some of them fundamentally flawed by a lack of robustness and 
security [7,8,9,10,11,12,13]. 

Most analog chaos-based cryptosystems are secure communication schemes 
designed for noisy channels, based on the technique of chaos synchronization, 
first shown by Pecora and Carroll [14].

Reduced order synchronization is a new interesting topic which has recently 
drawn attention from several researchers [15,16,17]. In [16] it is shown that 
second order driven oscillators can be synchronized with canonical projection 
of a higher order chaotic system by means of non-linear feedback. 

In a recent paper Bowong proposed a scheme based on reduced order
synchronization and feedback with application to secure communications [18]. The
transmitter is a fourth-order chaotic oscillator, modulated by the plaintext,
whose output is added to the plaintext as a masking signal. The receiver
consists of a Duffing second-order system that is enslaved to the transmitter by
means of non-linear feedback of the error.

Bowong presented two examples based on the plaintext modulation of a chaotic
oscillator and subsequent additive masking of the plaintext with the oscillator
signal. The following equation system defines the transmitter operation:

with parameter values:

$$a = 0.03,\quad b = 1,\quad c = 0.3,\quad d = 0.985,\quad f = 0.1, \qquad (2)$$

where the function $e(t)$ was specified as $e(t) = 0.7\cos(t)$ and the term
$u(t)$ is the plaintext message. The signal $y_T = x_{1m} + u(t)$ constitutes the
ciphertext transmitted to the receiver end. Actually, the above Eq. (1) is written
as it should be, in spite of the erroneous formulation given in (14) of [18, §4].

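The receiver was constructed as follows:

$$\dot{x}_{1s} = x_{2s},$$
$$\dot{x}_{2s} = -\lambda x_{2s} - \omega x_{1s} - \gamma x_{1s}^{3} + K_1\cos(\omega_1 t + \theta_1) + K_2\cos(\omega_2 t + \theta_2) + v,$$
$$y_s = x_{1s},$$

with parameter values:

$$\lambda = 1,\quad \omega = 10,\quad \gamma = 100,\quad K_1 = K_2 = 1,\quad \omega_1 = 2,\quad \omega_2 = 4,\quad \theta_1 = \theta_2 = 0, \qquad (3)$$

and where $v$ is the feedback control law which forces the error
$e = x_{1s} - x_{1m}$ to converge exponentially to zero as $t \to \infty$.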

The retrieved plaintext $\hat{u}(t)$ is calculated as the difference between the
ciphertext and the output of the reduced order system,
$\hat{u}(t) = y_T - y_s = u(t) - e$.
It was shown that the transmitter-receiver system was capable of accurately
retrieving the plaintext after an initial synchronization period of 10 seconds.
Afterwards it was claimed that the system can be used for secure
communications and some examples are provided.

In this letter it is shown that the proposed cryptosystem is insecure and two 
different procedures to break it are also presented: by high-pass filtering and 
by means of a simple reduced order intruder receiver. 



2 Missing security analysis and system key specification 

In [18], the author asserted that the scheme is applicable to secure
communication. However, no analysis of security was included to support this claim.
Furthermore, there is no mention of the secret key, when it is well known that
a secure communication system cannot exist without a key. In [18] it is not
considered whether there should be a key in the proposed system, what it
should consist of, what the available key space would be (how many different
keys exist in the system), what precision to use, and how it would be
managed. None of these elements should be neglected when describing a secure
communication system [19].

Moreover, since the transmitter and the receiver are implemented with different
kinds of systems, it is not explained how the encryption keys, if any, may
be related to the corresponding decryption keys. Usually, in many chaotic
cryptosystems the system parameters play the role of key, but this is not the
case in [18], because the transmitter and the receiver do not make use of the
same parameters.



3 Plaintext retrieval by a filtering attack 

It was supposed for some time that chaotic masking was an adequate means
for secure transmission, because chaotic systems present some properties such as
sensitive dependence on parameters and initial conditions, ergodicity, mixing,
and dense periodic points. These properties make them similar to pseudo-random
noise [20], which has been used traditionally as a masking signal for
cryptographic purposes. The basic requirement of the pseudo-random noise used
in cryptography is that its spectrum should be infinitely
broad, flat and of much higher power density than the signal to be concealed.
In other words, the plaintext power spectrum should be effectively buried in
the pseudo-random noise power spectrum.

The secure application proposed in [18] does not satisfy this condition. On the
contrary, the spectrum of the signal generated by the chaotic oscillator is of
narrow band, decaying very fast with increasing frequency, showing a power
density much lower than the plaintext at the plaintext frequencies used. Hence
it cannot cope with a filtering attack intended to separate the masking signal
and the plaintext.

To illustrate this fact we consider the two examples in [18, §4]
corresponding to the following plaintexts:

$$u_1(t) = \cos(7t),$$
$$u_2(t) = (1 + \sin(0.2t))\cos(7t),$$

whose waveforms are illustrated in Fig. 1.

The transmitter proposed in [18] was simulated with a fourth-order Runge-Kutta
integration algorithm in MATLAB 6.5, with a step size of $10^{-3}$. Fig. 2
illustrates the logarithmic power spectra, as a function of frequency, of the
ciphertexts $y_{T1}$ and $y_{T2}$ when the plaintext signals $u_1(t)$ and
$u_2(t)$ are encrypted, respectively, with the same parameter values previously
described in (2). The power spectra were calculated using an 8192-point Discrete
Fourier Transform with a sampling frequency of 32 Hz; previously, the analyzed
signal segments were multiplied by a 4-term Blackman-Harris window [21], to
avoid aliasing artifacts.



It can be seen in both examples that the plaintext signal components clearly
emerge at 1.114 Hz over the background noise created by the chaotic oscillator,
with a power of −3 dB, relative to the maximum power of the ciphertext
spectrum, while the power density of the ciphertext, at neighboring frequencies,
falls below −80 dB.

The chaotic receiver of [18] was not used to recover the plaintext. Instead,
the ciphertext was high-pass filtered to eliminate the chaotic masking
component while retaining the plaintext information. The result is illustrated in
Fig. 3. Comparing the result with the plaintext displayed in Fig. 1, the good
estimation of the plaintexts can be appreciated after an initial delay of
approximately 29 seconds, due to the filter delay. The filter employed was a
2048-sample finite impulse response digital filter, with a cut-off frequency of
1 Hz.
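
The filtering step described above can be reproduced offline. The following is an added example, not code from the letter: because the transmitter equations are not reproduced on this page, mask(t) is a constructed stand-in whose power lies entirely below 0.3 Hz, and the 32 Hz sampling rate and the odd filter length of 2049 taps are assumptions.

```python
import math

FS = 32.0     # sampling rate in Hz (assumed; the page's spectra use 32 Hz)
TAPS = 2049   # assumed odd length (the page's filter had 2048 samples)
FC = 1.0      # cut-off frequency in Hz, as on the page
MID = (TAPS - 1) // 2

def mask(t):
    # Constructed stand-in for the masking signal: power only below 0.3 Hz.
    return (2.0 * math.sin(2 * math.pi * 0.05 * t)
            + 1.5 * math.sin(2 * math.pi * 0.13 * t + 1.0)
            + 1.0 * math.sin(2 * math.pi * 0.27 * t + 2.0))

def u2(t):
    return (1 + math.sin(0.2 * t)) * math.cos(7 * t)   # plaintext u2 from the page

def highpass_taps():
    """Linear-phase FIR high-pass: Blackman-Harris windowed sinc, spectrally inverted."""
    a0, a1, a2, a3 = 0.35875, 0.48829, 0.14128, 0.01168
    lp = []
    for k in range(TAPS):
        x = k - MID
        ideal = 2 * FC / FS if x == 0 else math.sin(2 * math.pi * FC * x / FS) / (math.pi * x)
        p = 2 * math.pi * k / (TAPS - 1)
        lp.append(ideal * (a0 - a1 * math.cos(p) + a2 * math.cos(2 * p) - a3 * math.cos(3 * p)))
    dc = sum(lp)
    hp = [-v / dc for v in lp]      # negate the unit-DC-gain low-pass ...
    hp[MID] += 1.0                  # ... and add a delayed impulse: delta - lowpass
    return hp

def filtering_attack(n_out=512):
    """Relative RMS error of (filtered estimate, raw ciphertext) against the plaintext."""
    h = highpass_taps()
    y = [mask(n / FS) + u2(n / FS) for n in range(TAPS - 1 + n_out)]
    err = raw = ref = 0.0
    for n in range(TAPS - 1, len(y)):
        est = sum(hk * y[n - k] for k, hk in enumerate(h))
        u = u2((n - MID) / FS)      # filter output lags by MID samples (32 s here)
        err += (est - u) ** 2
        raw += (y[n - MID] - u) ** 2
        ref += u * u
    return math.sqrt(err / ref), math.sqrt(raw / ref)

if __name__ == "__main__":
    print("relative RMS error (filtered, unfiltered):", filtering_attack())
```

The filter uses no transmitter parameter at all: the only inputs are the ciphertext samples and a cut-off placed between the masking band and the plaintext frequency.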

Note that this is the hardest case an attacker can face from the point of view 
of plaintext frequency, because for higher sound frequencies the spectrum of 
the background noise created by the chaotic oscillator is even lower. 

This plaintext recovery method works equally well for different parameter
values of the transmitter, because the maximum power components of its
spectrum are concentrated in the frequency range between and 0.3 Hz for
all parameter values.

Thanks to the big separation between the plaintext frequency and the high
amplitude components of the masking chaotic signal, our method works
equally well with plaintext signals of much lower amplitudes than the
plaintexts $u_1(t)$ and $u_2(t)$ of the examples described in [18]. For instance, we
present in Fig. 4 the retrieved text corresponding to the plaintext
$u_3(t) = 0.0032(1 + \sin(0.2t))\cos(7t)$, that has a power level of −50 dB with
respect to $u_2(t)$; but, as can be seen, the retrieved signal waveform is still
perfectly preserved.



4 Plaintext retrieval by reduced order system synchronization 

As mentioned in Sec. 1, many secure communication systems based on chaotic
modulation and masking have been proposed in the past. In all of them the
knowledge of the transmitter parameter values was mandatory to operate the
receiver, since they played the role of system key. Some of them were
compromised because it was possible to recover the system parameters by carrying
out an elaborate ciphertext signal analysis.

But the chaotic transmitter and the modulation and masking procedure
described in [18] were designed in such a way as to enable the plaintext retrieval
with a reduced order receiver that did not even require the knowledge of
any transmitter parameters. As a true encryption mechanism must necessarily
make use of a key, this communication system may be only envisaged as
an ordinary codification system, rather than a secure one, because the only
required knowledge to recover the plaintext message is the receiver structure.

Moreover, it is possible to implement a whole family of alternative receivers to
the one proposed in [18]. Hence, a determined eavesdropper, knowing neither the
precise structure of the transmitter nor its design parameters, may implement
an alternative intruder receiver of their own design, also based on reduced order
synchronization and feedback, capable of retrieving the ciphertext just as well
as the authorized one.

To demonstrate this threat we have developed an extremely simple intruder
receiver of order two, with linear feedback, constructed as follows:

$$\dot{x}_{1s} = x_{2s},$$
$$\dot{x}_{2s} = 100\,\hat{u}(t) - x_{2s},$$

where $\hat{u}(t) = y_T - x_{1s}$ is the retrieved plaintext. The initial
conditions were arbitrarily chosen as

$$x_{1m}(0) = x_{2m}(0) = x_{3m}(0) = x_{4m}(0) = 0,\quad x_{1s}(0) = 0.1,\quad x_{2s}(0) = 1.$$

This simple receiver may decrypt the ciphertext as well as the receiver
proposed in [18]. Fig. 5 illustrates the perfect synchronism between the
transmitter variable $x_{1m}$ and our intruder receiver variable $x_{1s}$,
attained after a transient of 4 seconds, when no plaintext signal is present.
The efficiency as intruder decoder is illustrated in Fig. 6, where the retrieved
texts $\hat{u}_1(t)$ and $\hat{u}_2(t)$ corresponding to the plaintexts
$u_1(t) = \cos(7t)$ and $u_2(t) = (1 + \sin(0.2t))\cos(7t)$ are shown. Comparing
with the plaintexts illustrated in Fig. 1, the perfect decoding after a short
initial transient can be appreciated.



5 Conclusion 

In summary, the chaotic masking cryptosystem proposed in [18] is rather weak,
since it can be broken in two different ways, without knowing the system
parameters or its detailed structure: by high-pass filtering and by an intruder
receiver based on reduced order synchronization and feedback. There is no
mention of what the key is, nor of what the key space is, a fundamental aspect
in every secure communication system. The total lack of security discourages
the application of this synchronization scheme to secure applications.

Fig. 1. Plaintext examples described in [18]: (a) $u_1(t) = \cos(7t)$; (b)
$u_2(t) = (1 + \sin(0.2t))\cos(7t)$.

Fig. 2. Logarithmic power spectra of the ciphertexts $y_{T1}$ and $y_{T2}$: (a)
corresponding to the plaintext $u_1(t) = \cos(7t)$; (b) corresponding to the
plaintext $u_2(t) = (1 + \sin(0.2t))\cos(7t)$. Horizontal axis: Frequency (Hz).

Fig. 3. Retrieved texts $\hat{u}_1(t)$ and $\hat{u}_2(t)$, by high-pass filtering
of the two plaintext examples: (a) $u_1(t) = \cos(7t)$; (b)
$u_2(t) = (1 + \sin(0.2t))\cos(7t)$.

Fig. 4. Retrieved text $\hat{u}_3(t)$ by high-pass filtering of the ciphertext
$y_T = x_{1m} + u_3(t)$, corresponding to the low power level plaintext
$u_3(t) = 0.0032(1 + \sin(0.2t))\cos(7t)$.

Fig. 5. Synchronism between transmitter and intruder receiver, when no plaintext
signal is present: (a) transmitter variable $x_{1m}$ v. time; (b) receiver
variable $x_{1s}$ v. time.

Fig. 6. Retrieved texts $\hat{u}_1(t)$ and $\hat{u}_2(t)$, by our intruder
receiver for the two plaintext examples: (a) $u_1(t) = \cos(7t)$; (b)
$u_2(t) = (1 + \sin(0.2t))\cos(7t)$.